Improving the Upper Bound on the Maximum Average Linear Hull Probability for Rijndael

In [15], Keliher et al. present a new method for upper bounding the maximum average linear hull probability (MALHP) for SPNs, a value which is required to make claims about provable security against linear cryptanalysis. Application of this method to Rijndael (AES) yields an upper bound of $UB = 2^{-75}$ when 7 or more rounds are approximated, corresponding to a lower bound on the data complexity of $32/UB = 2^{80}$ (for a 96.7% success rate). In the current paper, we improve this upper bound for Rijndael by taking into consideration the distribution of linear probability values for the (unique) Rijndael 8×8 s-box. Our new upper bound on the MALHP when 9 rounds are approximated is $2^{-92}$, corresponding to a lower bound on the data complexity of $2^{97}$ (again for a 96.7% success rate). [This is after completing 43% of the computation; however, we believe that values have stabilized--see Section 7.]
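The s-box statistic the abstract refers to can be computed directly. The following is an added example, not code from the paper: it builds the Rijndael s-box, tabulates the linear probability values LP(a, b) = (W/256)^2 for a fixed output mask b, and evaluates the 32/UB data-complexity figure. All function names are assumptions made for this sketch.

```python
from collections import Counter

def gmul(a, b):
    """Multiply in GF(2^8) modulo the Rijndael polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """Rijndael s-box: field inverse (x^254) followed by the affine map."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    box = []
    for x in range(256):
        inv = 1
        for _ in range(254):
            inv = gmul(inv, x)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box

def walsh_row(sbox, b):
    """W[a] = sum over x of (-1)^(a.x XOR b.S(x)), via a fast Walsh-Hadamard transform."""
    w = [1 - 2 * (bin(b & sbox[x]).count("1") & 1) for x in range(256)]
    h = 1
    while h < 256:
        for i in range(0, 256, 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def lp_distribution(sbox, b):
    """Map |W| -> number of nonzero input masks a; LP(a, b) = (W/256)^2."""
    w = walsh_row(sbox, b)
    return Counter(abs(w[a]) for a in range(1, 256))

def data_complexity_log2(ub_log2):
    """log2 of the abstract's 32/UB lower bound on known plaintexts."""
    return 5 - ub_log2

SBOX = build_sbox()

if __name__ == "__main__":
    for absw, count in sorted(lp_distribution(SBOX, 1).items(), reverse=True):
        print(f"LP = ({absw // 4}/64)^2  for {count} input masks")
    print("data complexity: 2^%d, 2^%d" % (data_complexity_log2(-75), data_complexity_log2(-92)))
```

The distribution is the same for every nonzero output mask, so one row of the table characterizes the whole s-box.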

[1] Alfredo De Santis, et al. Advances in Cryptology — EUROCRYPT'94, 1994, Lecture Notes in Computer Science.

[2] Willi Meier, et al. Nonlinearity Criteria for Cryptographic Functions, 1990, EUROCRYPT.

[3] Mitsuru Matsui, et al. On Correlation Between the Order of S-boxes and the Strength of DES, 1994, EUROCRYPT.

[4] Tor Helleseth, et al. Advances in Cryptology — EUROCRYPT ’93, 2001, Lecture Notes in Computer Science.

[5] J.L. Smith, et al. Some cryptographic techniques for machine-to-machine data communications, 1975, Proceedings of the IEEE.

[6] Xuejia Lai, et al. Markov Ciphers and Differential Cryptanalysis, 1991, EUROCRYPT.

[7] Lars R. Knudsen, et al. Practically Secure Feistel Ciphers, 1994.

[8] Jean-Jacques Quisquater, et al. Advances in Cryptology — EUROCRYPT ’89, 1991, Lecture Notes in Computer Science.

[9] Mitsuru Matsui, et al. Linear Cryptanalysis Method for DES Cipher, 1994, EUROCRYPT.

[10] Jean-Jacques Quisquater, et al. Advances in Cryptology — EUROCRYPT ’95, 2001, Lecture Notes in Computer Science.

[11] Gerhard Goos, et al. Fast Software Encryption, 2001, Lecture Notes in Computer Science.

[12] Kaisa Nyberg, et al. Linear Approximation of Block Ciphers, 1994, EUROCRYPT.

[13] Carlo Harpes, et al. A Generalization of Linear Cryptanalysis and the Applicability of Matsui's Piling-Up Lemma, 1995, EUROCRYPT.

[14] Serge Vaudenay, et al. On the Security of CS-Cipher, 1999, FSE.

[15] Claude E. Shannon, et al. Communication theory of secrecy systems, 1949, Bell Syst. Tech. J.

[16] Eli Biham, et al. Differential cryptanalysis of DES-like cryptosystems, 1990, Journal of Cryptology.

[17] Kazumaro Aoki, et al. Strict Evaluation of the Maximum Average of Differential Probability and the Maximum Average of Linear Probability (Special Section on Cryptography and Information Security), 1997.

[18] Henk Meijer, et al. New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs, 2001, EUROCRYPT.

[19] C. Adams. A formal and practical design procedure for substitution-permutation network cryptosystems, 1992.

[20] H. Feistel. Cryptography and Computer Privacy, 1973.

[21] Donald W. Davies, et al. Advances in Cryptology — EUROCRYPT ’91, 2001, Lecture Notes in Computer Science.

[22] Eli Biham, et al. On Matsui's Linear Cryptanalysis, 1994, EUROCRYPT.

[23] Seokhie Hong, et al. Provable Security against Differential and Linear Cryptanalysis for the SPN Structure, 2000, FSE.

[24] Lars R. Knudsen, et al. Practically Secure Feistel Cyphers, 1993, FSE.

[25] Henk Meijer, et al. Modeling Linear Characteristics of Substitution-Permutation Networks, 1999, Selected Areas in Cryptography.